Django 1.8.4 release notes
August 18, 2015
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
Denial-of-service possibility in logout()
view by filling session store
Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout()
view (provided it wasn’t decorated with login_required()
as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users’ session records to be evicted.
The SessionMiddleware
has been modified to no longer create empty session records, including when SESSION_SAVE_EVERY_REQUEST
is active.
Bugfixes
- Added the ability to serialize values from the newly added
UUIDField
(#25019). - Added a system check warning if the old
TEMPLATE_*
settings are defined in addition to the newTEMPLATES
setting. - Fixed
QuerySet.raw()
soInvalidQuery
is not raised when using thedb_column
name of aForeignKey
field withprimary_key=True
(#12768). - Prevented an exception in
TestCase.setUpTestData()
from leaking the transaction (#25176). - Fixed
has_changed()
method incontrib.postgres.forms.HStoreField
(#25215, #25233). - Fixed the recording of squashed migrations when running the
migrate
command (#25231). - Moved the unsaved model instance assignment data loss check to
Model.save()
to allow easier usage of in-memory models (#25160). - Prevented
varchar_patterns_ops
andtext_patterns_ops
indexes forArrayField
(#25180).